The Obama Administration took office promising a major effort to protect the government’s networks from attack. In part, the new team is building on efforts already in progress and today, one of the more important projects bore fruit with the publication of the Consensus Audit Guidelines by a consortium of federal agencies and private groups.
The draft guidelines released today list 20 key actions agencies and contractors must take to prevent or mitigate attacks on their systems. They are intended to bolster existing procedures under the Federal Information Security Management Act (FISMA), which have been criticized for judging agencies’ security efforts more on the quality of the reports they submit than on the actual security they achieve. If approved, the guidelines could become requirements for agencies and covered contractors—and best-practices examples for the rest of the private sector.
Unlike previous efforts, the Consensus Audit Guidelines are based on a study of actual attacks. The report includes automated techniques for dealing with 15 of the 20 attacks and defines tests to ascertain whether countermeasures are properly implemented.
The Consensus Audit Guidelines are part of the Center for Strategic & International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency. Although the commission was designed to advise the incoming President regardless of who won the election, the project’s leader, John Gilligan, is a former chief information officer of the Air Force who served on the Obama transition team.
The guidelines are based on the work of 10 government agencies, including the National Security Agency and several other Defense Department units, along with MITRE Corp., the SANS Institute, and private security companies.